Fourth CERT document is leaked online

In what appears to have been the fourth such incident last week, an individual using the name "hack4life" sent another internal CERT Coordination Center memo to an online discussion list on March 21, detailing a product vulnerability that hadn't yet been disclosed.

The leaked e-mail message, from Ian Finlay, an Internet systems security analyst at CERT, concerned a message from Microsoft Corp. to the Pittsburgh-based organization regarding a vulnerability in Web redirectors, which forward a visitor from one Internet domain to another.

Microsoft is concerned that such sites are being used by organizations and individuals to disguise the source of spam e-mail, making it look like it comes from legitimate sources, according to Finlay's message. In addition, the widespread exploitation of such redirection servers, which are calibrated to handle an expected volume of traffic, could constitute a denial-of-service attack against the organizations that use those servers, Finlay wrote.

In a note that preceded the leaked e-mail, the individual responsible for posting the message apologized to the hacker community for the low severity level of the reported problem. "Your mileage with this vulnerability may vary; some people will think it's irrelevant; some may be able to make use of it," hack4life wrote. "CERT obviously thinks it's worth while, so I've take [sic] the choice out of their hands too and released it anyway," the note said.

The leaked e-mail regarding the Web page redirect problem follows three similar posts, apparently from the same individual, on March 16. Those vulnerabilities concerned security problems being researched by CERT but not yet disclosed to the public:

  • A buffer-overflow vulnerability in a software library used by many Unix and Linux operating systems and applications.
  • A technique for attacking and breaking encryption on Web servers that use Secure Sockets Layer (SSL) encryption.
  • Cryptographic vulnerabilities in the Kerberos Version 4 protocol that could allow an attacker to impersonate a user in a Kerberos realm and gain privileged access.

CERT said it believes that all of the leaks came from information shared with vendors. "The particular text that he posted was taken directly from e-mail messages sent to the vendor community," said Shawn Hernan, team leader for vulnerability handling at CERT.

The organization customarily shares such information with vendors when it's developing vulnerability notices and alerts, Hernan said. The organization had narrowed its focus to "a fairly sizable group" of those vendors with which CERT has long-standing relationships, Hernan said.

CERT encrypts correspondence about vulnerabilities when it sends that information to vendors. Each vendor maintains its own unique encryption key for deciphering and viewing the information after it's received. To view information in the message, an intruder would have to defeat the Pretty Good Privacy or SSL keys used to encrypt the comment, which Hernan said was "highly unlikely." If the messages were stored in decrypted form on a compromised e-mail server, an intruder could also obtain the information that way.

The most likely scenario, however, is that the culprit was in a position to obtain the decrypted information, possibly as part of a development team assigned to evaluate or fix the problems, Hernan said. He discounted that a CERT employee leaked the information, saying CERT insiders have access to more sensitive issues that would be more attractive targets for premature disclosure than the items published by hack4life.

CERT is working with the software vendors that are most likely to be affected by the premature disclosures and is taking other measures to respond to the leaks, Hernan said. If the person responsible for the leak is a "maverick" employee of one of the vendors CERT is communicating with, however, it may be difficult to prevent future disclosures.

CERT wouldn't comment on whether law enforcement authorities had been contacted concerning the leaks, but the difficulty in determining the location of the person responsible for the leaks could complicate any criminal investigation, Hernan said.

The organization, which is affiliated with Carnegie Mellon University, said it will continue to thoroughly research the leaked issues before publishing an alert. "We feel there's a real benefit in making sure issues are properly scoped and researched before they are made public," Hernan said.

However, the premature disclosures changed the priority of those issues, he said. Publishing product vulnerabilities before a patch is available doesn't send a message about the benefits of full disclosure, but means that research on more important vulnerabilites must be postponed so that vendors can address the leaked problems, he said.

"I have no quarrel with the full-disclosure community, but I do have a quarrel with the stupid-disclosure community," Hernan said.


Copyright © 2003 IDG Communications, Inc.

Shop Tech Products at Amazon